This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IDS & IPS: Two Essential Security Measures

To protect business networks, one line of security isn't enough.

What is the best threat management system for a business network? It's a difficult question to answer because threat management isn't about finding a single solution to every problem; it's about layering multiple solutions in a way that offers the best protection against a variety of threats.

When it comes to protecting business networks, a single line of security simply is not enough. Layered security takes advantage of multiple security tools, each designed to defend against a specific kind of attack. Layered security works similarly to having multiple walls or fences surrounding a building rather than relying on a single gate to deter intrusion. If an attack breaches the perimeter defense, then there are still secondary, tertiary, and other defenses in place.

Intrusion-detection systems (IDS) and intrusion-prevention systems (IPS) are two such defenses. Both rely on similar technologies, but each fills a different function, maintains different placement in the network, and defends against different kinds of attacks. To understand this relationship, let's review the specifics of IDS and IPS systems.

What Is an IPS?To keep the metaphor of the network as a building, an IPS is like a security guard. It's an active, in-network presence designed to prevent incoming attacks and stop attacks in progress. The security guard doesn't do much to keep intruders out, but if they find their way inside, the security guard has the power to stop them from doing further damage.

The IPS sits behind the firewall, directly in the communication path of any data attempting access, also known as "inline." As an inline intrusion-detection tool, an effective IPS checks all incoming traffic against known security threats. It does this through a variety of mechanisms, but the two most widely used methods are statistical anomaly-based detection and signature-based detection.

Statistical anomaly-based detection allows prevention systems to take a sample of current network traffic, and then compare it against a predetermined "normal" baseline. To do this, the IPS must be able to establish a behavior profile for the network from which to develop a set of standard operating parameters. When incoming traffic deviates from these parameters, the system takes this as evidence of a possible attack and responds accordingly.

Alternatively, signature-based detection identifies malicious traffic by its unique code. To do this, IPS tools keep and maintain an ever-growing database of code exploits. As known exploits breach the outer defenses, the IPS recognizes them from its database and moves to eliminate them. When the IPS encounters new exploits, it records them for future identification.

Unfortunately, both of these methodologies face the danger of false positives. Signature-based detection that incorporates vulnerability-facing signatures allows for better protection even against unknown exploits, but at an increased risk of misidentifying benign traffic as malicious. Likewise, anomaly-based detection only looks for variations in traffic, leaving little room for legitimate variations. In either case, the end result is a loss of potentially beneficial traffic.

Of course, the IPS is just one layer, and preventing threats is just one part of the equation. Detecting threats falls to the responsibility of IDS tools.

What Is an IDS?An IDS could be thought of as a building's security system. It's a passive security measure. A security alarm can alert security personnel to a threat, but it cannot take direct action against the threat. Likewise, an IDS is limited to identifying possible cyberattacks rather than preventing them.

To detect these threats, the IDS doesn't need to have an in-network presence, meaning it does not sit in the path of incoming data. Instead, IDS tools reside outside the network in an out-of-band, independent data channel. As such, these systems don't need real-time access to data; instead, they review copies of incoming data using an external monitoring device called a network test access point, or tap.

Through the tap, the IDS can examine mirrored data packets from many different points within the network. Data copies are compared to a library of known threats. The goal is to correctly identify malicious traffic before it can proceed further into the network.

An IDS gives security engineers the power to look deep into the network without impeding the flow of network traffic. Properly used, IDS tools can help guard against a variety of threats, including policy violations, information leaks, configuration errors, and unauthorized clients, servers, and applications. This is in addition to protecting against viruses and Trojan-horse attacks.

However, there are some drawbacks to using an IDS. Because the IDS uses data copies, never coming into contact with the original network data, it is incapable of taking direct action against threats. Instead, as the IDS identifies malicious traffic, it logs the incident and sends an alert to the network administrator. It then becomes the administrator's responsibility to take action against the threat.

If attackers are fast enough, or if administrators don't have the requisite experience handling the threat in question, the IDS can do very little to prevent damage to the network.

IDS vs. IPSWith IDS and IPS explained as two different layers of network security — rather than as complete security solutions — it hardly makes sense to try to determine which is the better option. In reality, the most effective solutions are those that incorporate multiple layers into a single, comprehensive security resolution. This approach is known as unified threat management (UTM).

UTM is closely associated with IDS but integrates multiple security features. UTM systems expand upon the more traditional firewall approaches to network safety. By incorporating both intrusion prevention and intrusion detection, along with other security functions, into a single, unified appliance, UTM tools allow for improved security flexibility at reduced costs.

Rather than having to purchase and maintain multiple boxes at different points throughout the network, organizations can deploy a UTM solution to handle their entire network security. Effective UTM devices operate inline, and are capable of filtering, analyzing, and reporting, along with load balancing and intrusion prevention. UTM solutions are designed with simplicity in mind and sometimes aren't complex enough to handle certain complicated threats. At the same time, if the device fails or requires any sort of extensive maintenance, then the link will need to be disconnected, resulting in potentially damaging network downtime.

IDS, IPS, and even UTM solutions all have their drawbacks, but with the right tools, those drawbacks can be overlooked. As modern threat management systems adapt to combat the dangers of malicious data in motion across networks, it's becoming clear that current solutions are simply not enough.

What is the best threat management system for a business network? One that incorporates IDS and IPS solutions and that has been optimized for deep visibility and superior protection.

Diana Shtil is a seasoned marketing professional with a track record for developing go-to-market strategy, executing product launches and generating content that drives awareness and purchase consideration. Prior to joining Gigamon, Diana has worked within the wireless ... View Full Bio

In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...

In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.